This week we are announcing several new Azure networking services and features to provide customers greater performance, higher availability, better security and more operational insights. We will continue to innovate to make it even easier and more seamless for customers to run their services in the public cloud. For an overview of all our exciting Azure Ignite announcements please see Jason Zander’s blog post.
Higher Performance
Azure has been developing Microsoft’s cloud scale data center infrastructure for over nine years. Early on we realized that building network infrastructure for mega scale data centers and ever increasing data transfer rates required fundamental shifts in networking technology. We have been working across the industry to promote and develop cutting edge networking solutions including Microsoft developed hardware solutions.
Today we are announcing break-through advancements to our entire global server fleet that will improve networking bandwidth performance 33% to 50%. This is achieved by utilizing hardware technologies such as NVGRE offload which harnesses the network processing capabilities of the hardware. Windows and Linux VMs will experience these performance improvements while returning valuable CPU cycles to the application. Our world-wide deployment will complete in 2016 and once completed we will update our VM Sizes table to reflect these new performance benefits.
To provide even more performance, we are very excited to announce the Public Preview of Accelerated Networking. Accelerated Networking provides up to 25Gbps of throughput and drastically reduces network latency up to 10x! Applications will benefit from a new generation of hardware technologies including SR-IOV, allowing VMs to communicate directly with the hardware NIC, completely bypassing the Hypervisor’s virtual switch. Along with higher bandwidths and lower latencies, applications will experience reduced jitter and improved Packets Per Second (PPS) performance. With Accelerated Networking, Azure SQL DB In-Memory OLTP transaction performance improved 1.5X. Also with this preview, DS15v2 and D15v2 VM sizes provide up to 25Gbps of network throughput. More details on regional availability and a link to sign up for the preview are available at Accelerated Networking for a virtual machine.
In addition, Azure Storage users will benefit from substantially increased IOPS performance based on these advancements, combined with newly developed storage specific offloads. Hardware now efficiently performs data transfers up to the line rate of the NIC. The roll out for Storage will also complete in 2016.
We are announcing the general availability of Virtual Network Peering (VNet Peering). VNet Peering connects Virtual Networks (VNets) in the same region, enabling direct full mesh connectivity. VMs in the peered VNets communicate with each other as if they are part of the same VNet, thus benefiting from high bandwidth and low latency. Hub & Spoke topologies are supported with Transit Routing through gateways. The VNet without a gateway still has cross-premises connectivity via the gateway in the peered VNet. VNet Peering works across subscriptions allowing for simplified service management.
This allows consolidation of VPN gateways and network virtual appliances in the same region, simplifying management and reducing costs. User-Defined Routes (UDR) and Network Security Groups (NSGs) can provide fine-grained control between the peered VNets. VNet Peering enables co-existence of “Classic” VNets and Azure Resource Manager VNets. This allows for incremental adoption of the Azure Resource Manager model.
Many enterprise customers use ExpressRoute to connect their private networks to Microsoft. ExpressRoute is supported by a large ecosystem of global telecom providers, cloud exchanges and service providers in over 35 locations. Today, we are introducing the UltraPerformance Gateway SKU for ExpressRoute that supports up to 10 Gbps throughput. This is a 5x improvement over the existing ExpressRoute HighPerformance gateway with a 99.95% availability SLA. With the UltraPerformance Gateway, customers can deploy even more networking intensive services and workloads into their virtual networks.
Cloud applications with demanding networking and massive real time data access requirements will greatly benefit from these new performance enhancements. We are ready for your workload.
IPv6
Azure now supports Native IPv6 network connectivity for applications and services hosted on Azure Virtual Machines. The demand for IPv6 has never been greater with the explosive growth in mobile devices, billions of Internet of Things (IoT) devices entering the market, along with new compliance regulations. IPv6 has been used by internal Microsoft services such as Office 365 for over three years. We are now offering this feature to all Azure customers. Native IPv6 connectivity to the virtual machine is available for both Windows and Linux VMs.
Higher Availability
Our new Active-Active Virtual Private Network (VPN) Gateway for the High-Performance VPN gateway SKU is recommended for production workloads. Availability requires a complete end to end perspective that includes the customer’s on-premises VPN devices and using different service providers to connect to the Active-Active VPN gateway. Each VPN gateway has two active instances. Customers can now implement dual redundancy for cross-premises VPN connections, increasing the availability of their VPN connections to their Azure VNets. All customers should consider adopting the new Active-Active VPN Gateway.
Our customers need more degrees of freedom for their Azure Load Balancer configurations. Today, we are making several announcements to increase design flexibility, enable new scenarios, and allow efficient resource consolidation.
We are announcing general availability of multiple VIPs on internal load balancers and new port reuse options across public and internal load balancers. In the following week, we will be previewing two additional abilities in specific regions: Multiple IP addresses on a Network Interface Card (NIC) and enabling all NICs on a VM to have a Public IP address on the NIC or through the load balancer. Check the service update page on the availability of these abilities.
Network Virtual Appliances (NVA) can now offer more flexible configurations. A firewall appliance can expose an Internet facing service on NIC 1 and an internal management service on NIC 2 using the same backend machines. In addition, an NVA can use a single NIC to host multiple services by securing individual private IP addresses per customer/service. Security can be further enhanced using NSG rules targeted at individual IP addresses.
Another use case is SQL AlwaysOn with Multiple Listeners which is now available in Preview. You can also host multiple availability groups on the same cluster and optimize the number of active replicas.
Azure DNS
We are announcing the GA release of Azure DNS. Customers can now host domains in Azure DNS and manage DNS records using the same credentials, APIs, tools, billing and support as other Azure services. Azure DNS also benefits from Azure Resource Manager’s enterprise-grade security features, enabling role-based access control and detailed audit logs. Azure DNS supports multiple record types including A, AAAA, CNAME, MX, NS, PTR, SOA, SRV and TXT, and comes with a 99.99% availability SLA.
Azure DNS uses a global network of name servers, providing exceptionally high availability, even in the event of a multi-region failure or network partitioning. DNS queries are answered by the closest available DNS server for the fastest possible query performance.
With Azure DNS, IT Pros can manage DNS zones and records using either the Azure Portal, or through scripting using Azure PowerShell or the cross-platform Azure CLI. Developers can use the Azure DNS REST API or SDK to automate DNS record provisioning as part of their application workflows. In both cases, fast DNS record provisioning avoids the need to wait for new DNS records to propagate to the name servers.
More Secure
Last year we introduced Application Gateway, an Application Delivery Controller (ADC) offering Layer 7 load balancing as a service. This complements Azure Traffic Manager (DNS load balancer) for load balancing across geographical regions and Azure Load Balancer for layer 4 load balancing within a region (availability set). Over the past year we have enhanced Application Gateway to better address web application requirements. These capabilities include SSL termination, round robin load distribution, cookie based session affinity, URL path based routing, the ability to host multiple web applications on the same load balancer, rich diagnostics with access and performance logs, WebSocket support, VM scale set support and the ability to define user configurable health probes.
In our continued effort to provide enhanced application security, Application Gateway now supports end to end SSL encryption and user configurable SSL policies. Customers can secure end to end communication from user requests to the backend using SSL/TLS, while taking advantage of routing rules set on the Application Gateway. The user’s SSL request is terminated at the gateway, which applies user configured routing rules and then re-encrypts the request before sending it to the backend. User configurable SSL policies allow the customer to selectively disable older SSL/TLS protocol versions, thus further strengthening the security profile of the applications behind the Application Gateway.
To provide even more advanced security to protect web applications from common vulnerabilities like SQL injection or cross-site scripting attacks, we are announcing the public preview of Web Application Firewall (WAF) as part of the Application Gateway service.
Application Gateway WAF offers simplified manageability of application security and comes preconfigured with protection from the most prevalent web vulnerabilities as identified by Open Web Application Security Project (OWASP) top 10 common vulnerabilities. Customers can run Application Gateway WAF in either protection or detection only mode. Application Gateway WAF also provides real time metrics and alert reporting to continuously monitor web applications against exploits. Security rules customization and integration with the Azure Security Center will be available soon.
Network Monitoring and Diagnostics
As the cloud begins to mature it is important to offer not only the same networking performance but also the same level of visibility and insights as on-premises solutions. We are committed to continually enhancing our capabilities in monitoring and diagnostics, empowering you to more easily manage your networks.
In continuation of our earlier announced capabilities in monitoring and diagnostics:
- Network Security Group events and counters
- SLB resource exhaustion event and Probe health status
- Application Gateway performance and access logs
- Audit logs for all Networking resources
We are releasing a series of new capabilities.
Customers can view performance metrics for an Application Gateway on the Azure Portal. The metrics require no additional configuration. The current release supports continuous aggregated throughput statistics and additional metrics support will be available soon.
Customers can configure threshold based alerts on metrics to proactively monitor the network. An alert can send an email notification or invoke a web hook that can integrate with 3rd party messaging services.
ExpressRoute users can get operational insights into routing configurations and network peering statistics.
Improved diagnostics for Network Security Groups (NSGs) and Routes enable you to better diagnose complex network connectivity problems. Effective Routes provide an aggregated view of user-defined routes (UDRs), system and BGP routes that impact a VM’s network traffic flow.
The ability to easily verify the correctness of network security settings is critical. The effective security rules view offers a comprehensive yet simplified and intuitive way to understand the security rules as configured on a VM/NIC.
You can expect a lot more capabilities in the coming months.
Looking forward
The cloud is ever evolving and customers are deploying more demanding and complex workloads. This evolution means our mission and commitment is not an end-point but a journey. We hope you spend time exploring the new services, features and capabilities and provide your valuable feedback as we continue to create, enhance, and deploy new networking technologies to meet your needs.